Do not create openvpn-credentials.txt nor transmission-credentials.txt when using secrets #2874

Open
vic1707 opened this issue Sep 3, 2024 · 1 comment

vic1707 commented Sep 3, 2024

Is there a pinned issue for this?

  • I have read the pinned issues and could not find my issue

Is there an existing or similar issue/discussion for this?

  • I have searched the existing issues
  • I have searched the existing discussions

Is there any comment in the documentation for this?

  • I have read the documentation, especially the FAQ and Troubleshooting parts

Is this related to a provider?

  • I have checked the provider repo for issues
  • My issue is NOT related to a provider

Are you using the latest release?

  • I am using the latest release

Have you tried using the dev branch latest?

  • I have tried using dev branch

Docker run config used

secrets:
    ## TRANSMISSION
    openvpn_creds:
        file: "$PWD/secrets/ovpn-credentials.txt"
    rpc_creds:
        file: "$PWD/secrets/transmission-rpc-credentials.txt"

services:
    transmission:
        container_name: transmission
        sysctls:
            - net.ipv6.conf.all.disable_ipv6=1
        security_opt:
            - no-new-privileges=true
        restart: always
        image: docker.io/haugene/transmission-openvpn:5.3.1
        privileged: true # needed to access /dev/net/tun
        networks:
            shared:
                ipv4_address: 10.99.0.4
        environment:
            TZ: Europe/Paris
            GLOBAL_APPLY_PERMISSIONS: false
            OPENVPN_OPTS: --inactive 3600 --ping 10 --ping-exit 60
            TRANSMISSION_RPC_AUTHENTICATION_REQUIRED: true
            TRANSMISSION_SCRIPT_TORRENT_DONE_ENABLED: true
            TRANSMISSION_SCRIPT_TORRENT_DONE_FILENAME: /config/keep_torrent_file.sh
            TRANSMISSION_WEB_UI: flood-for-transmission
            WEBPROXY_ENABLED: false
            ## Wish I could remove ##
            CREATE_TUN_DEVICE: false
            DISABLE_PORT_UPDATER: true
            ##############
            ##   .env   ##
            ##############
            OPENVPN_CONFIG: netherlands
            OPENVPN_PROVIDER: PIA
            OPENVPN_USERNAME: "**None**"
            OPENVPN_PASSWORD: "**None**"
        secrets:
            - openvpn_creds
            - rpc_creds
        volumes:
            - ./transmission/data:/data:rw
            - ./transmission/config:/config
        devices: # wish I could remove
            - /dev/net/tun

Current Behavior

Everything works fine, but when inspecting the content of the config dir mounted locally I realized that it was:

  zsh ❯ tree $PWD
/Users/vic1707/Documents/Projects/homelab-config/marina/prod/containers/transmission/config
├── openvpn-credentials.txt
├── transmission-credentials.txt
└── transmission-home
    ├── bandwidth-groups.json
    ├── blocklists
    ├── resume
    ├── settings.json
    ├── torrents
    └── transmission.log

5 directories, 5 files

And upon reading the content of openvpn-credentials.txt & transmission-credentials.txt I realized that the credentials were in plain text. And as said in the logs:

2024-09-03 23:22:06 WARNING: file '/config/openvpn-credentials.txt' is group or others accessible

I can understand it being that way when using env vars but when using secrets I feel like those files shouldn't exist.

Expected Behavior

When using secrets the corresponding file containing credentials shouldn't be created as it defies the purpose of using the secrets (openvpn-credentials.txt, transmission-credentials.txt)

How have you tried to solve the problem?

Nothing to do on my side I think, except mounting /config/transmission-home instead of /config?

Log output

[transmission] | Starting container with revision: 07f5a2b9aea5028c9bb75438c1552708e91dde71
[transmission] | TRANSMISSION_HOME is currently set to: /config/transmission-home
[transmission] | Using OpenVPN provider: PIA
[transmission] | Running with VPN_CONFIG_SOURCE auto
[transmission] | Provider PIA has a bundled setup script. Defaulting to internal config
[transmission] | Executing setup script for PIA
[transmission] | Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.j4DOrGyxqT
[transmission] | Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
[transmission] | Starting OpenVPN using config netherlands.ovpn
[transmission] | Modifying /etc/openvpn/pia/netherlands.ovpn for best behaviour in this container
[transmission] | Modification: Point auth-user-pass option to the username/password file
[transmission] | Modification: Change ca certificate path
[transmission] | Modification: Change ping options
[transmission] | Modification: Update/set resolv-retry to 15 seconds
[transmission] | Modification: Change tls-crypt keyfile path
[transmission] | Modification: Set output verbosity to 3
[transmission] | Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
[transmission] | Modification: Updating status for config failure detection
[transmission] | Setting OpenVPN credentials...
[transmission] | 2024-09-03 23:22:06 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
[transmission] | 2024-09-03 23:22:06 WARNING: file '/config/openvpn-credentials.txt' is group or others accessible
[transmission] | 2024-09-03 23:22:06 OpenVPN 2.5.9 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
[transmission] | 2024-09-03 23:22:06 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
[transmission] | 2024-09-03 23:22:06 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
[transmission] | 2024-09-03 23:22:06 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
[transmission] | 2024-09-03 23:22:06 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.206.62:1198
[transmission] | 2024-09-03 23:22:06 Socket Buffers: R=[212992->212992] S=[212992->212992]
[transmission] | 2024-09-03 23:22:06 UDP link local: (not bound)
[transmission] | 2024-09-03 23:22:06 UDP link remote: [AF_INET]181.214.206.62:1198
[transmission] | 2024-09-03 23:22:06 TLS: Initial packet from [AF_INET]181.214.206.62:1198, sid=5eae8d31 65de3753
[transmission] | 2024-09-03 23:22:06 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
[transmission] | 2024-09-03 23:22:06 VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, [email protected]
[transmission] | 2024-09-03 23:22:06 VERIFY KU OK
[transmission] | 2024-09-03 23:22:06 Validating certificate extended key usage
[transmission] | 2024-09-03 23:22:06 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
[transmission] | 2024-09-03 23:22:06 VERIFY EKU OK
[transmission] | 2024-09-03 23:22:06 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=amsterdam427, name=amsterdam427
[transmission] | 2024-09-03 23:22:06 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA512
[transmission] | 2024-09-03 23:22:06 [amsterdam427] Peer Connection Initiated with [AF_INET]181.214.206.62:1198
[transmission] | 2024-09-03 23:22:06 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.15.112.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.112.159 255.255.255.0,peer-id 11,cipher AES-128-GCM'
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: timers and/or timeouts modified
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: compression parms modified
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: --ifconfig/up options modified
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: route options modified
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: route-related options modified
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: peer-id set
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: adjusting link_mtu to 1625
[transmission] | 2024-09-03 23:22:06 OPTIONS IMPORT: data channel crypto options modified
[transmission] | 2024-09-03 23:22:06 Data Channel: using negotiated cipher 'AES-128-GCM'
[transmission] | 2024-09-03 23:22:06 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
[transmission] | 2024-09-03 23:22:06 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
[transmission] | 2024-09-03 23:22:06 net_route_v4_best_gw query: dst 0.0.0.0
[transmission] | 2024-09-03 23:22:06 net_route_v4_best_gw result: via 10.99.0.1 dev eth0
[transmission] | 2024-09-03 23:22:06 ROUTE_GATEWAY 10.99.0.1/255.255.255.192 IFACE=eth0 HWADDR=9a:cc:45:c0:5c:79
[transmission] | 2024-09-03 23:22:06 GDG6: remote_host_ipv6=n/a
[transmission] | 2024-09-03 23:22:06 net_route_v6_best_gw query: dst ::
[transmission] | 2024-09-03 23:22:06 sitnl_send: rtnl: generic error (-101): Network is unreachable
[transmission] | 2024-09-03 23:22:06 ROUTE6: default_gateway=UNDEF
[transmission] | 2024-09-03 23:22:06 TUN/TAP device tun0 opened
[transmission] | 2024-09-03 23:22:06 net_iface_mtu_set: mtu 1500 for tun0
[transmission] | 2024-09-03 23:22:06 net_iface_up: set tun0 up
[transmission] | 2024-09-03 23:22:06 net_addr_v4_add: 10.15.112.159/24 dev tun0
[transmission] | 2024-09-03 23:22:06 net_route_v4_add: 181.214.206.62/32 via 10.99.0.1 dev [NULL] table 0 metric -1
[transmission] | 2024-09-03 23:22:06 net_route_v4_add: 0.0.0.0/1 via 10.15.112.1 dev [NULL] table 0 metric -1
[transmission] | 2024-09-03 23:22:06 net_route_v4_add: 128.0.0.0/1 via 10.15.112.1 dev [NULL] table 0 metric -1
[transmission] | 2024-09-03 23:22:06 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
[transmission] | 2024-09-03 23:22:06 add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
[transmission] | 2024-09-03 23:22:06 net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
[transmission] | 2024-09-03 23:22:06 sitnl_send: rtnl: generic error (-13): Permission denied
[transmission] | 2024-09-03 23:22:06 ERROR: Linux IPv6 route can't be added
[transmission] | Up script executed with device=tun0 ifconfig_local=10.15.112.159
[transmission] | Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.15.112.159
[transmission] | Using Flood for Transmission UI, overriding TRANSMISSION_WEB_HOME
[transmission] | 
[transmission] | -------------------------------------
[transmission] | Transmission will run as
[transmission] | -------------------------------------
[transmission] | User name:   root
[transmission] | User uid:    0
[transmission] | User gid:    0
[transmission] | -------------------------------------
[transmission] | 
[transmission] | Updating Transmission settings.json with values from env variables
[transmission] | Attempting to use existing settings.json for Transmission
[transmission] | Could not read existing settings.json. Generating settings.json for Transmission from environment and defaults /etc/transmission/default-settings.json
[transmission] | Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.15.112.159
[transmission] | Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
[transmission] | Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
[transmission] | Overriding rpc-authentication-required because TRANSMISSION_RPC_AUTHENTICATION_REQUIRED is set to True
[transmission] | Overriding rpc-password because TRANSMISSION_RPC_PASSWORD is set to [REDACTED]
[transmission] | Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
[transmission] | Overriding rpc-username because TRANSMISSION_RPC_USERNAME is set to vic1707
[transmission] | Overriding script-torrent-done-enabled because TRANSMISSION_SCRIPT_TORRENT_DONE_ENABLED is set to True
[transmission] | Overriding script-torrent-done-filename because TRANSMISSION_SCRIPT_TORRENT_DONE_FILENAME is set to /config/keep_torrent_file.sh
[transmission] | Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
[transmission] | sed'ing True to true
[transmission] | STARTING TRANSMISSION
[transmission] | Transmission startup script complete.
[transmission] | 2024-09-03 23:22:06 Initialization Sequence Completed
^C
[transmission] | time="2024-09-03T23:28:25+02:00" level=error msg="Failed to write input to service: read /dev/stdin: input/output error"
[transmission] | 2024-09-03 23:28:25 event_wait : Interrupted system call (code=4)
[transmission] | 2024-09-03 23:28:25 /etc/openvpn/tunnelDown.sh tun0 1500 1553 10.15.112.159 255.255.255.0 init
[transmission] | resolv.conf was restored
[transmission] | 2024-09-03 23:28:25 WARNING: Failed running command (--up/--down): external program did not exit normally
[transmission] | 2024-09-03 23:28:25 Exiting due to fatal error

HW/SW Environment

Realistically any OS and environment 

- OS: MacOS Sonoma 14.6.1 (23G93)
- ~~Docker~~ Podman: 5.2.2

Anything else?

I hope I didn't miss any existing issue when looking for it 🙏
I could also be misunderstanding the way secrets work or should be used

vic1707 commented Sep 3, 2024

Looking at the code for a naive workaround or solution, I feel like instead of

cp /run/secrets/openvpn_creds /config/openvpn-credentials.txt

the container could simply do a symlink?

- cp /run/secrets/openvpn_creds /config/openvpn-credentials.txt
+ ln -fs /run/secrets/openvpn_creds /config/openvpn-credentials.txt
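Review bot: the `ln -fs` line keeps the plaintext off the persistent /config volume, but it will not by itself silence the "WARNING: file '/config/openvpn-credentials.txt' is group or others accessible" line from the log above, because OpenVPN stats the file the link resolves to, i.e. the secret as mounted under /run/secrets; the mode of that mount should be verified (and restricted where the runtime allows it) as part of this change. Two further points: the symlink must stay conditional on /run/secrets/openvpn_creds actually existing, otherwise the env-var path (OPENVPN_USERNAME/OPENVPN_PASSWORD) ends up with a dangling link instead of a credentials file, and transmission-credentials.txt, which the issue lists alongside it, needs the same treatment.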

I'll make some tests in the coming days if I can find time.
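An added example (not the haugene/transmission-openvpn entrypoint and not the author's code) of staging a mounted secret the way the Expected Behavior above asks for, as an alternative to the cp or symlink into /config: the secret is copied with mode 0600 into a private, non-persistent directory, and the group/other permission check behind OpenVPN's warning is reproduced so the result can be verified. The /run/openvpn path and the sample credentials are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not the image's startup script. Stage a Docker/Podman
# secret for OpenVPN outside the bind-mounted /config directory.
set -eu

# Return 0 when FILE has no group/other permission bits set, which is the
# condition OpenVPN tests before logging "is group or others accessible".
# Parses `ls -ld` so it works with both GNU and BSD userlands.
is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)   # group and other triplets, e.g. "r--r--"
    [ "$bits" = "------" ]
}

# stage_credentials SECRET_FILE DEST
# Copy the secret to DEST with mode 0600 inside a 0700 directory. Fails when
# the secret is not mounted, so an env-var-only setup never gets an empty
# or dangling credentials file.
stage_credentials() {
    secret_file=$1
    dest=$2
    if [ ! -r "$secret_file" ]; then
        echo "secret not mounted: $secret_file" >&2
        return 1
    fi
    dest_dir=$(dirname "$dest")
    mkdir -p "$dest_dir"
    chmod 700 "$dest_dir"
    rm -f "$dest"                       # drop any stale, possibly readable copy
    ( umask 077 && cat "$secret_file" > "$dest" )   # created 0600 from the start
    is_private "$dest"                  # what OpenVPN will see on open
}

# Demo on constructed input: a scratch directory stands in for /run/secrets
# and for a private tmpfs such as /run/openvpn (assumed path).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/run/secrets"
    printf 'vpnuser\nexample-password\n' > "$work/run/secrets/openvpn_creds"
    stage_credentials "$work/run/secrets/openvpn_creds" \
                      "$work/run/openvpn/credentials.txt"
    ls -ld "$work/run/openvpn/credentials.txt"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run with `sh stage.sh demo` to see the resulting `-rw-------` listing; in a real container the destination should live on a tmpfs rather than under the /config mount.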
